inetaf / tcpproxy

Proxy TCP connections based on static rules, HTTP Host headers, and SNI server names (Go package or binary)
https://pkg.go.dev/github.com/inetaf/tcpproxy
Apache License 2.0
1.26k stars 157 forks source link

SNI matcher fails on large ClientHello #40

Open orozery opened 8 months ago

orozery commented 8 months ago

func clientHelloServerName(br *bufio.Reader) (sni string) peeks the connection to read the entire client hello packet. If read was successful, the client hello bytes are passed in to Go's tls to parse the packet and extract the SNI.

The client hello is peeked using a bufio.Reader, which is initialized by (p *Proxy) serveConn, using br := bufio.NewReader(c). The call to bufio.NewReader initializes an internal backing buffer of size 4K. If the client hello is bigger than 4K, the bufio.Reader.Peek call fails with bufio.ErrBuffFull, and this directly leads to the failure of the SNI matcher.

Specifically, I've been testing with Envoy as a TLS client which I've seen producing a client hello of size 5476 bytes (>4K). I've attached a sample tcpdump capture. big_client_hello.zip

For reference, Go's TLS implementation supports client hellos of up-to 64KB: https://github.com/golang/go/blob/cda1e40b44771f8a01f361672cba721d0f283683/src/crypto/tls/common.go#L65

My personal suggestion is that we increase our bufio.Reader from the default 4K size to 64KB size.